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DETAILED ACTION 



1. 



The response of 9/6/06 was received and considered. 



2. 



Claims 1-15 and 22-29 are pending. 



Continued Examination Under 37 CFR 1,114 



3. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1 .17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 9/6/06 
has been entered. 

Response to Arguments 

4. Applicant's arguments with respect to claims 1-2, 8, 15 and 22-23 have been 
considered but are moot in view of the new ground(s) of rejection. 



5. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

6. Claim 1 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite 
for failing to particularly point out and distinctly claim the subject matter which applicant 
regards as the invention. 



Claim Rejections - 35 USC §112 
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7. Claim 1 recites the limitation "each cache entry" in line 7. There is insufficient 
antecedent basis for this limitation in the claim. 

Claim Rejections - 35 USC § 103 

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention Is not identically disclosed or described as set 
forth in section 1.02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

9. Claims 1, 6-8, 13-15, and 22-23 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Skene et al, hereinafter "Skene", (U.S. Patent Application Publication 
Number 2001/0052D16) in view of Ye (U.S. Patent Number 6,772,348), in further view 
of Coss et al., hereinafter "Coss", (U.S. Patent Number 6,170,012). 

Regarding claim 1, Skene discloses a computer system providing Internet protocol 
security without secure domain name resolution, the system comprising: 
a local domain name service (DNS) server (Fig. 1 , #1 1 0). Skene also discloses that a 
local DNS receives request messages including a domain name, after which the local 
DNS cache is searched to match the domain name (Fig. 4), but Skene lacks an IPSEC 
cache. However, Ye discloses a server (Col. 4, lines 8-14) communicatively computed 
to a processor/host computer (Fig, 2, #70), that includes a secure Internet security 
protocol (IPSEC) cache/cache table (Fig. 2, #120), wherein the secure IPSEC 
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cache/cache table, is readable only by an Internet protocol (IP) processing layer/IPSEC 
driver (Fig. 2, #72), of an operating system that controls execution of an application 
program by the processor/host computer, (Col. 5, lines 50-54). Ye lacks wherein each 
cache entry comprises information that uniquely associates the cache entry with a 
particular application process or execution time. 

However, Coss discloses wherein each cache entry comprises information that uniquely 
associates the cache entry with a particular application process or execution 
time/session key (fig. 4). 

Ye further discloses a security policy data store/policy agent (Fig. 2, #90), that is 

communicatively coupled to the IP processing layer/IPSEC driver, 

a computer-readable medium accessible to the processor/host computer, and 

comprising^one or more sequences of instructions which, when executed by the 

processor/host computer, cause the processor/host computer, to carry out. the steps of: 

receiving a message/incoming packet (Fig. 4, #84), generated as a result of execution 

of the application program that contains a domain name (Fig. 6, #160); 

receiving a data packet from the application (fig. 4, #84 and fig. 6, #160); 

in response to receiving the data packet from the application, searching the secure 

IPSEC cache/cache table, for an entry that matches the domain name (Fig. 6, #164).. 

Ye lacks wherein the searching comprises using the information that uniquely 

associates the cache entry with a particular application process or execution time to 

verify that the domain name in the entry matches the domain name contained in the 

message. 
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However, Qoss discloses wlierein the searching connprlses using the information that 
uniquely associates the cache entry with a particular application process or execution 
time/session key (fig. 5A, #502 & col. 6, lines 36-37) to verify that the domain name in 
the entry matches the domain name contained in the message (Coss, fig. 5, #502-504). 
Ye further discloses querying the security policy data store/policy agent, for an IPSEC 
policy/SA (Security Association) (Ye, Fig. 4, #136), matching the domain name (Ye, Fig. 
6, #166). Ye lacks wherein the IP processing layers verifies that the policy matches the 
domain name contained in the message. However, Coss discloses wherein the IP 
processingJayers verifies that the policy matches the domain name contained in the 
message (fig. 5, #502-504). Ye discloses in response to obtaining an IPSEC policy, 
applying the IPSEC policy/SA, to the data packet/incoming packet, (Ye, Fig. 6, #178), 
and purging the matching entry from the cache (Ye, Fig. 6, #180), wherein the secure 
IPSEC cache/cache table, comprises a plurality of cache entries (Ye, Fig. 4, #124). 
It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to modify Skene's client (fig. 1 , #112), to include a processor, security policy 
data store, IPSEC cache, and a computer-readable medium as described by Ye. One 
of ordinary skill in the art would have been motivated to perform such a modification to 
provide a method for retrieving security policies at an enhanced speed as taught by Ye 
(col. 2, lines 17-32)^ 

It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to modify the device of Skene as modified above by Ye, with the device of 
Coss, in order to verify the domain name in the policy entry matches the domain name 
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in the pacl^et, in order to validate the pacl<et may securely pass through the firewall as 
taught by Coss (col. 6, lines 16-25). 

Regarding claim 2, .Skene as modified above discloses a computer system as recited in 
claim 1, wherein the secure IPSEC cache comprises a plurality of cache entries wherein 
each cache entry comprises a DNS name one or more corresponding IP addresses 
(1I[0061]). 

Regarding claims 3 and 4, Skene as modified above, discloses a computer system as 
recited in claim 2, wherein the step of searching the secure IPSEC cache/cache table, 
further comprises the step of searching the secure IPSEC cache/cache table, for an 
entry that matches a process identifier/filter flag (Ye, Fig. 4, #136), of the application 
program (Ye, Col. 6, lines 56-60), based on the information that uniquely associates the 
cache entry with a particular application process or execution time/communication 
stream (Ye, Col. 7, 113), wherein the information that uniquely associates the cache 
entry with a particular applibation process or execution time/communication stream, 
comprises a process identifier value/filter flag, and a transaction identifier value/index 
value (Ye, Fig. 6, #162). 



Regarding claim 5, Skene as modified above, discloses a computer system as recited in 
claim 4, wherein the step of searching the secure IPSEC cache/cache table, further 
comprises the step of searching the secure IPSEC cache/cache table, for an entry that 
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matches a process (Ye, Fig. 6, #168) and transaction (Ye, Fig. 6, #162) associated with 
the application program/communication stream, based on the process identifier 
value/filter flag, and transaction identifier value/index value, in the cache. 

Regarding claim 6, Skene as modified above, discloses a computer system as recited in 
claim 1, further comprising the step of querying the security policy database/policy 
agent, for an IPSEC policy/SA, based on an IP address (Ye, Col. 2, lines 26-32 & Col. 
7, lines 5-9). The invention of Ye discloses a system that derives an index value based 
on a packet's IP address (Ye, Col. 7, lines 5-9). The index value is used to search for a 
matching SA from the cache table (Ye, Col. 7, 115 to Col. 8, HI). 

Regarding claim 7, Skene as modified above, discloses a computer system as recited in 
claim 1, further comprising the steps of: receiving a request to resolve a DNS name into 
network addresses/IP address, resolving the DNS name using the local DNS server 
(Fig. 4, #202), resulting in generating one or more network addresses/IP addresses, 
corresponding to the DNS name, determining identifier information/filter flag, that 
uniquely associates the request with a particular application process or execution 
time/communication stream, and storing the DNS name, the network addresses/IP 
addresses, and the identifier information/filter flag, as an entry in the secure IPSEC 
cache/cache table, (Col. 7, lines 9-36). 
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Claim 8 is substantially equivalent to claim 1 and therefore rejected under similar 
rational. 

Claims 9-12 are substantially equivalent to claims 2-5 and therefore rejected under 
similar raticfnale. 

Claims 13-14 are substantially equivalent to claims 6-7 and therefore rejected under 
similar rational.. 

Regarding claims 15 and 22, Skene discloses a computer-readable medium carrying 
one or more sequences of instructions for providing Internet protocol security without 
secure domain name resolution, which instructions, when executed by one or more 
processors/host computer, cause the one or more processors/host computer, to carry 
out the steps of: 

Skene lacks or does not expressly disclose an IPSEC cache. 

However, Ye discloses a receiving a message/incoming packet, generated as a result of 
execution of an application program/communication stream, and that contains a domain 
name (Fig. 4, #202), receiving a data packet from the application/incoming packet; 
in response to receiving the data packet/incoming packet, from the application, 
searching a secure Internet security protocol (IPSEC) cache/cache table, for an entry 
that matches the domain name (Fig. 4, #203) wherein the secure IPSEC cache/cache 
table, is communicatively coupled to a local domain name service (DNS) server (Fig. 1 , 
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#110), and wherein the secure IPSEC cache/cache table, is readable only by an 
Internet protocol (IP) processing layer/IPSEC driver, of an operating system that 
controls execution of the application program/communication stream. 
Ye lacks or does not expressly discloses verifying that the domain name in the entry 
matches the domain name contained in the message. However, Coss discloses and 
wherein each cache entry comprises information that uniquely associates the cache 
entry with a particular application process or execution time/session key, (fig. 4); and 
further wherein the searching comprises using the information that uniquely associates 
the cache entry with a particular application process or execution time/session key, to 
verify that the domain name in the entry matches the domain name contained in the 
message (fig. 5, #502 and col. 6, lines 36-37). 

Ye further discloses in response to obtaining an IPSEC policy, querying a security policy 
data store/policy agent, that is communicatively coupled to the IP processing 
layer/IPSEC driver, for an IPSEC policy/SA, matching the domain name (fig. 6, #166). 
Ye lacks wherein the IP processing layers verifies that the policy matches the domain 
name contained in the message. However, Coss discloses wherein the IP processing 
layers verifies that the policy matches the domain name contained in the message (fig. 
5, #502-504). Ye discloses applying the IPSEC policy/SA, to the data packet/incoming 
packet, and purging the matching entry from the cache (Ye, Fig. 6, #180). 
It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to modify Skene's client (fig. 1, #112), to include a processor, security policy 
data store, IPSEC cache, and a computer-readable medium as described by Ye. One 
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of ordinary skill in the art would have been motivated to perform such a modification to 
provide a method for retrieving security policies at an enhanced speed as taught by Ye 
(col. 2. lines 17-32). 

It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to modify the device of Skene as modified above by Ye, with the device of 
Coss, in order to verify the domain name in the policy entry matches the domain name 
in the packet, in order to validate the packet may securely pass through the firewall as 
taught by Coss (col. 6, lines 16-25). 

Regarding claim 23, Skene discloses an apparatus for providing Internet protocol 
security, without secure domain name resolution, for messages that are carried by a 
packet-switched data network (Ye, Fig. 2), comprising: 

a network interface that is coupled to the data network for receiving one or more packet 
flows therefrom (Ye, Fig. 2, #84), a processor/host computer, one or more stored 
sequences of instructions which (Ye, Col. 3, lines 2-4), when executed by the 
processor/host computer, cause the processor/host computer, to carry out the steps of: 
receiving a message/incoming packet, generated as a result of execution of an 
application program/communication stream, and that contains a.domain name (Skene, 
Page 4, Col. 1, lines 17-20); receiving a data packet/incoming packet (fig. 4, #84); in 
response to receiving the data packet/incoming packet, from the application, searching 
a secure Internet security protocol (IPSEC) cache/cache table, for an entry that matches 
the domain name (Ye, Fig. 6, #164), wherein the secure IPSEC cache/cache table, is 



Application/Control Number: 10/023.622 Page 1 1 

Art Unit: 2134. 

communicatively coupled to a local domain name service (DNS) server (Fig. 1 , #1 10), 
and wherein the secure IPSEC cache/cache table, is readable only by an Internet 
protocol (IP) processing layer/IPSEC driver, of an operating system that controls 
execution of the application program, (Ye, Col. 5, lines 50-54). Ye lacks or does not 
expressly discloses verifying that the domain name in the entry matches the domain 
name contained in the message. However, Coss discloses and wherein each cache 
entry comprises information that uniquely associates the cache entry with a particular 
application process or execution time/session key, (fig. 4); and further wherein the 
searching comprises using the information that uniquely associates the cache entry with 
a particular application process or execution time/session key, to verify that the domain 
name in the entry matches the domain name contained in the message (fig. 5, #502 and 
col. 6, lines 36-37). 

Ye further discloses in response to obtaining an IPSEC policy, querying a security policy 
data store/policy agent, that is communicatively coupled to the IP processing 
layer/IPSEC driver, for an IPSEC policy, matching the domain name (Ye, Fig. 6, #166). 
Ye lacks wherein the IP processing layers verifies that the policy matches the domain 
name contained in the message. However, Coss discloses wherein the IP processing 
layers verifies that the policy matches the domain name contained in the data packet 
(fig. 5, #502-504). Ye discloses applying the IPSEC policy/SA to the message/incoming 
packet (Ye, Fig. 6, #178), and purging the matching entry from the cache (Ye, Fig. 6, 
#180). 
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It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to modify Skene's client (fig. 1, #112), to include a processor, security policy 
data store, IPSEC cache, and a computer-readable medium as described by Ye. One 
of ordinary skill in the art would have been motivated to perform such a modification to 
provide a method for retrieving security policies at an enhanced speed as taught by Ye 
(col. 2, lines 17-32). 

It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to modify the device of Skene as modified above by Ye, with the device of 
Coss, in order-to verify the domain name in the policy entry matches the domain name 
in the packet, in order to validate the packet may securely pass through the firewall as 
taught by Coss (col. 6, lines 16-25). 

Claims 24-29 are substantially equivalent to claims 2-7 and therefore rejected under 
similar rational. 

Conclusion 

4. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aubrey H. Wyszynski whose telephone number is 
(571)272-8155. The examiner can normally be reached on Monday - Thursday, and 
alternate Friday's. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on (571)272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status infomriation for 
published appljcations may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



AHW 




GILBERTO BARRON of 
SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 



